The certificate toolbox
you can actually trust.
Decode, validate and inspect TLS certificates without ever uploading them. Everything runs in your browser. No accounts, no ads, no analytics.
Our tools
100% client-side. Built with Web Crypto + @peculiar/x509.
Single-purpose tools, one URL each, no upsell. Open source — read the code.
Decode & inspect
Parse certificates, CSRs and keys in your browser — never uploaded.
Validate
Chains, hostnames, key/cert pairs — formal checks against RFC 5280 / 6125.
Chain Builder & Validator
Paste a bundle of PEM blocks. Reorder them into a valid leaf → root chain, spot what's missing and export a clean fullchain.pem.
Key ↔ Cert Matcher
Confirm a private key and certificate match. Both stay in your browser — Web Crypto only.
Hostname / SAN Validator
Test which hostnames a certificate covers under RFC 6125 — wildcards, IDN, CN fallback.
ACME helpers
External account binding, DNS-01 challenge math, provider quick-refs.
Compliance EU
NIS2, DORA, eIDAS 2.0 — TLS posture mapped to the articles.
Trusted external tools
Curated, opens in a new tab.
Some jobs need infrastructure we cannot replicate in a static site — live TLS handshakes, transparency log indexing, OCSP queries. These are the ones we trust.
Probe & scan
Qualys SSL Labs
externalThe reference TLS server grader. Slow but authoritative.
Hardenize
externalFast multi-protocol scan: TLS, DNSSEC, HSTS, email security.
Mozilla HTTP Observatory
externalOpen-source security headers + cookies + TLS analyzer by Mozilla.
testssl.sh
externalThe gold-standard self-hosted TLS scanner. CLI, no telemetry.
Revocation Check
externalThe only OCSP / CRL checker that still works well.
Monitor
Compliance EU
internet.nl
externalEU benchmark for internet standards. Operated by the Dutch Internet Standards Platform.
ENISA NIS2 Guidance
externalOfficial ENISA technical implementation guidance (June 2025).
nis2-public
externalOpen-source platform for NIS2 continuous posture management — governance, technical validation and incident response in one self-hosted stack.
Managing dozens of certificates?
Public TLS certificate lifetimes are on a published path down — the CA/Browser Forum ballot SC-081v3 caps maximum validity at 200 days from March 2026, 100 days from 2027, and 47 days by 2029. CertMate is the open-source manager built for that automation reality. SC-081v3 ↗